NSO Ordered to Stop Hacking WhatsApp, but Damages Cut to $4 Million

The judge ruled that punitive damages of $167 million awarded by a jury were excessive.

The latest ruling in the lawsuit filed by WhatsApp against the NSO Group bars the spyware maker from targeting the communication app’s users, but also significantly reduces the punitive damages awarded earlier this year by a jury.

WhatsApp filed a lawsuit against NSO in 2019, after it came to light that a zero-day vulnerability had been exploited to deliver spyware to approximately 1,400 WhatsApp users.

A judge ruled in December 2024 that NSO Group is liable for the hacking of WhatsApp users, and in May 2025 a jury ordered the spyware maker to pay more than $444,000 in compensatory damages and $167 million in punitive damages. 

NSO appealed the jury’s decision, arguing that WhatsApp should not be awarded more than $1.77 million. In addition, WhatsApp has sought an injunction to prevent NSO from targeting its users, which NSO argued would put its entire enterprise at risk and “force it out of business”.

In a ruling dated October 17, US District Court Judge Phyllis Hamilton granted a permanent injunction barring NSO from hacking WhatsApp.

“Essentially, part of what companies such as WhatsApp are ‘selling’ is informational privacy, and any unauthorized access is an interference with that sale,” the judge wrote in the ruling. “Defendants’ conduct serves to defeat one of the purposes of the service being offered by plaintiffs, which constitutes direct harm.”

NSO has been ordered to stop reverse engineering WhatsApp and to no longer create new WhatsApp accounts. It must also delete and destroy WhatsApp source code it possesses. 

On the other hand, the ban is limited to WhatsApp. It does not extend to other Meta services such as Instagram and Facebook, which the complaint against NSO had asked the court to cover.

“Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again,” WhatsApp stated following the ruling. “We applaud this decision that comes after six years of litigation to hold NSO accountable for targeting members of civil society.”

While Hamilton sided with WhatsApp on this matter, the judge ruled that the punitive damages awarded by the jury were excessive and reduced the amount from $167 million to just over $4 million, which is nine times the compensatory award, as dictated by rules that limit awards based on misconduct severity.

NSO’s spyware is advertised as a legitimate surveillance tool designed to help government organizations fight terrorism and other types of crime. However, it has often been used by authoritarian regimes to target opponents, including human rights activists and journalists.

The company has denied any wrongdoing, arguing that it is not responsible for how customers use its solutions.

NSO was recently acquired by a group of American investors led by Hollywood producer Robert Simonds in a deal reportedly valued at several tens of millions of dollars. The ownership of NSO has changed several times in recent years, between founders and various private equity firms. The latest acquisition transfers controlling ownership out of Israel. 

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.